author | Mercedes Bernard <mercedesrbernard@gmail.com> | 2023-02-15 13:27:39 -0600 |
---|---|---|
committer | git <svn-admin@ruby-lang.org> | 2023-02-23 08:50:02 +0000 |
commit | d5994eb4362d7aba01c36b1b3a1ec3e7462d70d5 (patch) | |
tree | 3cdcf9e5a0857c04cb4efd8f481696455807ac08 /lib | |
parent | 3d5ec8401f9b7736402a091deb10dc124c4540f4 (diff) | |
download | ruby-d5994eb4362d7aba01c36b1b3a1ec3e7462d70d5.tar.gz |
[rubygems/rubygems] safe marshal gem specs when inflating
https://github.com/rubygems/rubygems/commit/5c5d0c5350
Diffstat (limited to 'lib')
-rw-r--r-- | lib/bundler.rb | 2 | ||||
-rw-r--r-- | lib/bundler/fetcher.rb | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/bundler.rb b/lib/bundler.rb
index 95524b7e61..68fcff7840 100644
--- a/lib/bundler.rb
+++ b/lib/bundler.rb
@@ -39,7 +39,7 @@ module Bundler
 environment_preserver.replace_with_backup
 SUDO_MUTEX = Thread::Mutex.new
- SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version].freeze
+ SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version, Gem::Specification].freeze
 SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
 SAFE_MARSHAL_PROC = proc do |object|
 object.tap do
diff --git a/lib/bundler/fetcher.rb b/lib/bundler/fetcher.rb
index a073bae278..e12c15af8a 100644
--- a/lib/bundler/fetcher.rb
+++ b/lib/bundler/fetcher.rb
@@ -102,11 +102,11 @@ module Bundler
 uri = Bundler::URI.parse("#{remote_uri}#{Gem::MARSHAL_SPEC_DIR}#{spec_file_name}.rz")
 if uri.scheme == "file"
 path = Bundler.rubygems.correct_for_windows_path(uri.path)
- Bundler.load_marshal Bundler.rubygems.inflate(Gem.read_binary(path))
+ Bundler.safe_load_marshal Bundler.rubygems.inflate(Gem.read_binary(path))
 elsif cached_spec_path = gemspec_cached_path(spec_file_name)
 Bundler.load_gemspec(cached_spec_path)
 else
- Bundler.load_marshal Bundler.rubygems.inflate(downloader.fetch(uri).body)
+ Bundler.safe_load_marshal Bundler.rubygems.inflate(downloader.fetch(uri).body)
 end
 rescue MarshalError
 raise HTTPError, "Gemspec #{spec} contained invalid data.\n" \ |
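Review bot: In the lib/bundler.rb hunk, adding `Gem::Specification` to `SAFE_MARSHAL_CLASSES` widens the allow-list to a class that rebuilds itself through its own `_load` hook, and nothing next to the constant says so. If `SAFE_MARSHAL_PROC` is applied as the per-object callback of `Marshal.load` (its body continues outside the hunk, so this is inferred), it sees the finished specification only after that hook has run, and whatever the hook decodes internally is presumably not checked against this list. I would record that limit beside the constant, for example `# Gem::Specification restores itself via _load; data nested inside it is not checked against this list`, and add a spec that loads a specification wrapping a disallowed class to confirm what is actually rejected.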
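Review bot: In the lib/bundler/fetcher.rb hunk, both switched calls depend on the `rescue MarshalError` at the end of the hunk to turn a rejected payload into the `HTTPError` about invalid data, but nothing visible shows which exception `safe_load_marshal` raises when it meets a class outside the allow-list. If that failure is not a `MarshalError` or a subclass of it, it would skip this rescue and reach the caller as a raw error rather than the "contained invalid data" message. That is worth confirming with a spec, and a short comment above the first call such as `# safe_load_marshal raises MarshalError for classes outside Bundler::SAFE_MARSHAL_CLASSES` would make the dependency explicit. The method's body starts and ends outside the hunk.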